This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I found an interesting issue from below pcap log: https://www.dropbox.com/s/g7fgpmhcepy2yw5/04_05_FragmentHeader.cap?dl=0

For 2nd packet, wireshark reads fragment offset value in fragment reader as '181' while Microsoft Network Monitor interpret it as '1448'. It looks like a bug to me.

Wondering anyone else is seeing the same ?

PS: I am using Version 1.12.1 (v1.12.1-0-g01b65bf from master-1.12)

asked 04 Feb '15, 18:07

Gallon's gravatar image

Gallon
16557
accept rate: 0%


Per RFC 2460:

Fragment Offset: 13-bit unsigned integer.  The offset, in 8-octet
                 units, of the data following this header,
                 relative to the start of the Fragmentable Part
                 of the original packet.

What Wireshark is displaying is the raw value in 8 bytes unit, not the number of bytes. 181*8 = 1448.

permanent link

answered 05 Feb '15, 01:47

Pascal%20Quantin's gravatar image

Pascal Quantin
5.5k1060
accept rate: 30%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×51
×30

question asked: 04 Feb '15, 18:07

question was seen: 1,810 times

last updated: 05 Feb '15, 01:47

p​o​w​e​r​e​d by O​S​Q​A